Tuesday, August 29, 2006

Perpwatch 30 months for hiring DDoS attack, 5 years for botherding

Monday, August 28, 2006

Secret hold? No such thing

Cox news reports that a Senator put a 'secret hold' on a bill to open federal records.

There is in fact no such procedure. The only way that a bill can be halted in the Senate is if the Majority party decides not to bring it to the floor or if there is a filibuster.

The Senate observes a set of 'gentleman's agreements' that allow for this type of thing, but it is the majority party that decides whether to observe them or not. If one Senator could in fact exercise a secret veto on any measure they chose, nothing would ever get done. What is really happening here is that a senator has asked the majority leader to block the bill and the majority leader has agreed.

Pretending that such a mechanism does in fact exist allows the majority party to avoid accountability for their actions. It only works as long as the media is willing to go along with the charade. Unlike the mainstream media, bloggers have no vested interest in maintaining the status quo. Bloggers do not get favored access to politicians.

Congress will eventually yield to demands for accountability and transparency; a political system where secret holds are put on legislation and secret earmarks are used to reward campaign contributors is simply not sustainable in the blogging age.

Thursday, August 24, 2006

Is President Bush Stupid?

As I made lunch I thought about Stephen Jay Gould's Mismeasure of Man and the general US preference for alleged measures of academic ability over academic achievement.

As Gould points out, this preference was historically motivated in large part by racism. Far from being 'culture neutral', as proponents claim to this day, IQ tests are both learnable and have marked cultural biases. I know from first-hand experience that it is possible to increase your IQ score by practice. Entry to the Senior school at King's was by public examination. Pupils at the junior school like myself practiced taking IQ tests every week. By the end my score had improved by at least a standard deviation, despite the fact that the tests got harder towards the back of the book.

The insufficiently remarked upon corollary of the claim that IQ tests measure an innate, unchangeable quality is that it precludes any possibility of improvement. This is especially ironic in view of the fact that the original purpose of the tests was precisely to track the response of mentally deficient patients to remedial therapy.

So now we have Conservative commentators asking the same question Liberals asked eight years ago, is George W. Bush an idiot?

Since 'idiot' is a clinical term the answer is clearly no. But the US debate then goes on to ask if someone can be intelligent despite displaying no intellectual curiosity.

Mental capacity is just like any other human capability: it is not possible to achieve peak performance without training and frequent practice.

Tuesday, August 22, 2006

JonBenet mania

CNN's saturation coverage of JonBenet continues and will continue. If WW III and the second coming were to happen, CNN would still lead on Karr's in-flight catering selections.

The phrase 'unfounded media speculation' keeps coming up. You would never know that CNN was the principal cheerleader on this story for the past ten years and that the 'speculation' being referred to was by the same talking heads appearing on screen today. The CNN coverage consists of talking heads speculating wildly, interspersed with video of the Colorado police asking people not to speculate, followed by the talking heads speculating about the police statement.

The suspect is clearly a serious security concern. It does not appear very likely that his confession is genuine and the confession itself is not actually of murder but there is clearly something wrong.

Thursday, August 17, 2006

The Register on feasibility of liquid explosives

It is two decades since I did anything related to the manufacture of explosives, but The Register seems to have it right.

Binary explosives would be very hard to use on an aircraft for the simple reason that combining the two components means you are in effect setting up a small munitions factory. If the explosive goes off prematurely you get a fizzle.

TATP is so notoriously unstable that one of the cues Israel uses to identify likely 'engineers' (bomb makers) is noting who is missing a finger or two.

There are some binary explosives that are used commercially. Ammonium Nitrate/Fuel Oil (ANFO) is widely used in mining and was the explosive Timothy McVeigh used in the Oklahoma City bombing. But ANFO requires confinement to go off properly and the raw materials both have a pretty powerful smell. The prospects for chemical detection are pretty good.

Wednesday, August 16, 2006

"Faux" Disclosure

Adam takes Bruce to task on "Faux" Disclosure.

I agree with Adam here. Full Disclosure is sometimes a necessary tool. In the early 1990s most O/S vendors had a shockingly negligent approach to security and in some cases the only way to get a response was to embarrass the vendor with full public disclosure.

My personal situation at the time was that I worked closely with the security groups at the companies concerned and did not want to jeopardize that relationship.

The situation today is completely different. Most vendors have security religion and they will make serious attempts to correct security bugs when they are notified that they exist and the problem can be reproduced. Computers are complex and, as the Iranian situation demonstrates, ascribing cause can be difficult; it is not practical for someone outside Israel to determine the authenticity of an attack that is claimed to be directed only at IP addresses in Israel.

What concerns me is that Full Disclosure has real costs. Releasing information has benefits but the benefits are not guaranteed to outweigh the costs. Most of the purported benefits of full disclosure are met by partial disclosure that only reaches a select number of parties with significant assets to protect and strong economic leverage over the vendors to pressure them to comply. If a vendor is not being responsive to a security issue I do not need to tell anyone other than the CIOs and CISOs of their top 10 customer accounts.

Giving exploit information to the bad guys does not make us more secure. It may be an acceptable price in certain situations but giving the bad guys weapons does not make us more safe.

The other aspect of full disclosure that concerns me is the fact that it seems to be rather too effective as a career move. I don't do full disclosure; if the bad guys haven't thought about something yet I am not going to be the first person to talk about it in public. It's somewhat frustrating when someone gets several pages of press coverage for reporting a vulnerability I discovered and reported to the vendor earlier. On the plus side, the long term benefits of discretion seem to be greater.

Bringing the problem to general attention without revealing a full exploit appears to me to be a completely sensible approach.

Tuesday, August 15, 2006

Iranian President is cyber-terrorist?

According to several reports, it looks like this might be the case: Wonkette has a roundup of links.

The Presidential blog allegedly attempts to download a trojan when there is a request from an Israeli IP address.

The Arab/Israeli cyberwar has been going on for years. It is not surprising that Iran might be involved. But what is absolutely dumbfounding is the idea that the President of a country with 25 million citizens would demean himself this way.

The attack does not appear to be embedded in the blog itself, instead it appears to be a separate attack that is launched at any Israeli IP address that contacts the blog. It would be interesting to know whether this is unique to the Presidential blog or a general feature of the facility.

Either way it is either extremely amateurish and unprofessional or extremely amateurish and Machiavellian. Iran's recent policy seems to be to keep international tensions stoked as high as possible. This keeps the oil price high and allows the regime to play the 'foreign threat' card so beloved of dictators.

Update: It is being reported as a bug in Norton Anti-Virus, which makes more sense.

Monday, August 14, 2006

Viral software licenses strike back

One might expect FSF guru Richard Stallman to support the "no military use" variation of the GPL. But no!

Richard Stallman, the founder of the Free Software movement and author of the GPL, says that while he doesn't support the philosophy of "open source," neither does he believe software developers or distributors have the right to try to control other people's activities through restricting the software they run. "Nonetheless, I don't think the requirement is entirely vacuous, so we cannot disregard it as legally void."

The claim that he does not believe in controlling people's activities might appear to be somewhat strange given the restrictions RMS himself seeks to impose.

What seems to be his real concern here is the idea that people might start attaching their own ideological constraints to code and not just the ones that fuel his own personal obsessions. The pacifist GPL is joined by the animal rights GPL, the pro-life GPL, the pro-choice GPL, Socialist, Reactionary, Libertarian, a GPL for every part of the political spectrum.

What happens when some of that code starts finding its way back into projects such as Linux? We will end up with code that can only be used by Straight male lesbians who have had at least three abortions and are pro-life, support gun control and carry an assault weapon at all times.

What we need is to realize that software needs the equivalent of a 'fair use clause' or more precisely an 'inadvertent infringement' clause. The systems available to track provenance of software are poor. Any body of a million or more lines of code is certain to have some lines that are not correctly licensed.

The correct legal remedy is not to create a cause of action for every possible infringement however inadvertent but to look at the work as a whole. If 80% or even 10% of a work is either unlicensed or has a defective license that is not acceptable. But I have a hard time seeing how a few hundred lines of code should give the owner the right to seek full royalties over a software product containing millions of lines of code as if they had written the whole thing.

(via Slashdot)

It's not just the BBC that loses tapes

One of the biggest acknowledged cultural tragedies in the UK was the wanton destruction of many video recordings taken in the 1960s and 70s. At one point the BBC was planning to wipe the tapes containing the original Monty Python series. Many episodes of Dr Who were lost. Light entertainment suffered particularly badly. Meanwhile every copy of the local news was preserved forever.

The BBC has long since acknowledged this as a blunder and great effort has gone into tracking down and restoring old footage. Regular appeals are made to members of the public who might have some old recordings. The BBC has even gone to the lengths of developing technology that allows colour from a videotape to be re-added to a black and white tape.

So what to make of the news that NASA has lost track of the footage of the moon landings? Did someone miss the historical significance?

Friday, August 11, 2006

Why no references manager

I know that there are hundreds of add-on products for Word that manage references. But why does a product that has a gazillion different typefaces and three thousand ways to create mailing lists have no mechanism to manage academic citations?

Word supports Tables of Authorities for the legal profession and has done for years. It would be a trivial matter to provide support for academic citations, merely a change of formatting. But this has not happened.

Microsoft aggressively markets a student and teacher version of Office. Yet this lacks the most basic feature students and academics need.

I guess you have to be there to recognize the stupidity

OK, you are carrying a bottle that can't be carried onto the plane because it might be explosive, so let's pour it into the tub with all the rest of the stuff that might be explosive, in the middle of a large crowd.

The liquid is in a perfectly good container. Why empty it out?

This is not the first time Al Qaeda has attempted this particular plot, so why are there no contingency plans prepared that make sense?

Thursday, August 10, 2006

The great airline security debate

I don't have much to add on the security issues that Bruce, Adam and EKR haven't covered already.

While Perry Metzger is right in pointing out that it is probably not difficult to use domestic household items, and it probably isn't difficult to create an automatic trigger and put the bomb in carry-on, the UK police are probably taking precautions in case a missed plotter tries to carry out the attack regardless. While they think they caught all of them, it is impossible to be certain until the other plotters are debriefed. If there is a missed plotter out there it is much less likely that he can create a new plan with an automatic trigger than continue with the old one.

But as my wife points out, there is likely to be a major effect on all those airlines that have been cutting back on in-flight catering. Until now this has been tolerable because you can buy something much better on the ground than they used to serve in coach class. Now it's going to be a six hour flight with the only food available the $8 'snack assortment', presuming that the people at the other end of the plane don't buy them all first.

Duty free is also going to be a thing of the past. I never saw the point of lugging bottles round the world to save $2 on duty, but it's a huge part of the spirits business.

In the UK no carry-on is allowed at all apart from the bare essentials. So no laptops. That means losing five hours of work on a transatlantic flight (six hours minus the time for takeoff, landing, meals etc.). Presumably this is a temporary measure.

Kaus on the importance of being bloggy

Mickey Kaus comments on the great Lieberman server meltdown:

Its main value for Lieberman was that it could crash the day before the election and generate sympathetic headlines. In fact, I expect the election-eve Web site crash to now become a staple of politics, like the traditional election-eve discovery of some hateful leaflet attempting to suppress the black vote, which is then used by Democrats to turn out the black vote.

I think he has it right here; Lieberman's campaign didn't know the difference between HTTP and HP Sauce. But Lamont's campaign would have been hurt much worse by the loss of their server.

Marty Kaplan: How to Hack a Diebold Voting Machine | The Huffington Post

Marty Kaplan has posted a new Video Pod: How to Hack a Diebold Voting Machine

He leaves out a few steps from his explanation, in particular he does not explain what you put on the flash drive, but his point is that the machines do not have acceptable physical security. Bruce Schneier has blogged on this incessantly; if he does this much longer he will have no choice but to start a company making trustworthy voting machines.

I doubt that the security weaknesses have been exploited on any significant scale. There are other, more effective ways of fixing an election, such as preventing voters from getting to the polls to vote. Even so, expect concern over the security of electronic voting machines to become bi-partisan the minute that the Republican party loses an election.

In the meantime there are ways the problems can be fixed using physical security. Ballot boxes have seals on them, so why don't these Diebold machines? Drill a small hole through the case so that it goes through the top and bottom parts of the case, put a wire through it and attach a seal. Put the whole machine in a tamper-proof metal case. Stick a great big honking siren inside that will go off if there is a tampering attempt. Better yet, build the voting booths in such a way that the voters cannot touch the CPU box at all; they only need to interact with the screen.

Better yet, employ the technology we use in the UK: it's called a pencil.

I don't see what good an audit trail does without a method of verifying the audit trail.

Tuesday, August 08, 2006

Lieberman incident confirmed as hacking

The Lieberman campaign confirms that they were taken out by a hacker. In addition to taking out the site itself, the hacker deleted email lists and disrupted the Lieberman get out the vote effort.

If true, a very bad thing indeed. The point of elections is to convince politicians to hand over power peacefully. That only works if the losers recognize the legitimacy of the process. If Lieberman loses he may point to the hacking effort as a pretext to support his proposed independent run.

We need to find a way to support political campaign sites that provides the highest levels of availability and security without raising the cost to unacceptable levels.

In 1992 I saw the Web as a potential tool to change politics from being money based to being citizen based. The Web allows candidates to reach the electorate directly, to talk in prose rather than soundbites and to have a dialogue with their supporters and potential supporters. Above all, the Web allows a candidate with a $100 campaign budget and plenty of volunteers to reach people as effectively as a candidate with a $10 million campaign budget.

1992 was the first year in which a major political campaign had an official Internet presence. The Clinton-Gore campaign run by Jock Gill may not have had a major impact on the outcome of the election but it set the pattern for the Internet campaigns that have followed.

During the 2004 campaign the Democrats used the Web to address what they perceived to be their major vulnerability: their funding disadvantage. Meanwhile the Republicans realized that the Web and TiVo have created a new dynamic where the money no longer matters. Howard Dean proved that in his campaign for the Presidential nomination; never has so much money been spent on a campaign in such a short time with so little result.

During the last campaign we saw phishing attacks against campaign contributors. Now we are seeing hacking and DDoS attacks. We have to solve these problems in a way that does not create a new money barrier.

Update: The Lieberman campaign was on a low budget hosting plan. While the figure of $15 is probably spin, future campaigns that are spending millions a month on TV campaign ads should probably consider $1000/mo a minimum budget for their hosting services and look for specialist providers who have very large capacity pipes.

Update2: Turns out that the Lieberman campaign paid their Web consultant $1,500 last quarter, which does not give him a lot to spend on bandwidth and pay himself (Kos spends $7K each month).

Update3: The state site hosting the results is currently overwhelmed by demand as well.

Monday, August 07, 2006

Incompetence or subtle hacking?

Joe Lieberman's Web site was offline this evening; the primary is tomorrow.

One explanation is that the site ran out of money, as the page suggests. Another is that the site was hacked by someone who realized that failing to pay the bills is a worse comment on a political campaign than having a vulnerable Web site.

Update: The Lieberman campaign claims that it was 'hacked' through an organized downloading campaign that apparently caused the site to overrun their paid bandwidth allotment. This sounds more like a large traffic spike than the sort of SYN flood DDoS that is used by hackers. Absent actual proof of collusion, it is not easy to know whether the claim is credible or not. One would expect an upturn in traffic just before election day.

Either way it suggests that hosting campaign sites is going to be an interesting challenge in November. Regardless of whether this was incompetence or an actual attack the next one will be deliberate and the one after that and the hundred after that.

Thursday, August 03, 2006

Legislating virtue

Over on Emerging Chaos Adam responds to my point that too many mandatory warning notices might be a bad idea. Quite what his response might mean I am not sure:

I don't think people should be more embarrassed about losing data than they are about being mugged. It is very hard to offer good advice, grounded in actuarial analysis, of what makes an effective information security program. Absent that, we have best practices (I declare it a best practice, to, on hearing something described that way, to ask "Why?" seven times.*)

OK, so if people should not be embarrassed about being mugged, what is the utility in forcing them to admit the fact? Or does Adam believe that there might be some benefit to the person who receives the advice?

I have received several of these notices. What am I meant to do differently now that a perpetrator might have access to my social security number?

I am 40 years old; I do not become eligible to collect social security for a quarter century. If someone were to attempt to collect my social security pension in my place, their risk/reward ratio would not be good. When people commit social security fraud they are usually continuing to collect the pension of someone who is deceased. Outright impersonation may become a serious problem, but even if that happens it will be a quarter century before I am likely to become a victim.

The most likely fraud that would be committed by someone who found out my social security number would be to apply for a loan in my name. This would indeed be a serious problem for the person who lent the money, but it's not my problem unless the lender somehow manages to convince a court that I was the borrower.

The warning notice is much more useful to me because of what it tells me about the company that made the mistake than as a guide to action.

Since Adam has only been working for a large company for a short time it is probably too soon to expect him to have experienced a SOX lunacy. On the face of it Sarbanes-Oxley is a good idea: make corporate accounts mean what they say they mean. In practice it means that every corporate pen pusher at every company listed on the US markets has suddenly discovered that they can give their request for the most trivial information the force of federal law by stating 'this is a Sarbanes-Oxley requirement'.

The legislators certainly could have required disclosure of every imaginable security breach, but that would only serve to embarrass the companies involved; it would not achieve the legislators' purpose of encouraging adoption of better security practices and stopping the disclosures from taking place.

We have to bank somewhere, we have to have some health insurer, we have to have someone manage the dental plan, etc. etc. If every company that supplies one of those services is at fault there is nowhere else to take the business, and the breach is consequence free.

The Romans recognized this problem. When a legion failed in a spectacular way it was impossible to punish everyone, so they decimated the legion, executing every tenth soldier pour encourager les autres. The same strategy was employed to reform the accounting industry.

Choose your battles and focus on one problem at a time. Securing corporate server IT is a good place to start. Once CISOs have started to get to grips with that problem widen the scope.

Wednesday, August 02, 2006

Open deprecated

I spent the morning converting a piece of C# to C. This is my first use of C since Visual Studio 2005 came out. As a result it is the first time I have had to deal with the latest POSIX lunacies.

I like Visual Studio as a development environment. But C++ is a drag after using C# or Java.

My biggest complaint about Visual C++ is that they assume that you want to code C++ rather than C. Not in my case. The only feature of C++ that is worth having in my view is single line comments. Everything else is botched or bungled.

So I start off by writing an open file statement, open (filename, _RDONLY), and get the complaint back that open has been declared obsolete and these days you have to use _open instead. So I switch to _open and get told that I have to use _sopen_s instead.

There might be a good reason why the C++ folk need to add all these underscores everywhere, but there is no good reason to break perfectly good C code to do so.
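One way to keep a single C source compiling cleanly on both toolchains is to put the open call behind a small wrapper that uses _sopen_s under MSVC (the function its deprecation warning points at) and plain POSIX open() everywhere else. The code below is an added example, not code from the post; the wrapper names portable_open_readonly, read_file_text and demo_roundtrip and the scratch file name are this example's own inventions. The MSVC branch also asks for _O_NOINHERIT and a deny-write share mode, and the POSIX branch for O_CLOEXEC, so the descriptor does not leak into child processes either way.

```c
/* Portable read-only open: _sopen_s on MSVC, open() on POSIX.
   Added example; function names are this example's own, not from the post. */
#define _CRT_SECURE_NO_WARNINGS   /* quiets MSVC's C4996 for fopen/strcpy below */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>

#ifdef _MSC_VER
#include <io.h>
#include <share.h>
#define PORTABLE_READ  _read
#define PORTABLE_CLOSE _close
#else
#include <unistd.h>
#define PORTABLE_READ  read
#define PORTABLE_CLOSE close
#endif

/* Open `path` read-only. Returns a descriptor, or -1 with errno set. */
int portable_open_readonly(const char *path)
{
#ifdef _MSC_VER
    int fd = -1;
    /* _sopen_s reports failure as an errno value and hands back the
       descriptor through a pointer; _SH_DENYWR blocks concurrent writers
       while we read, _O_NOINHERIT keeps the handle out of child processes. */
    errno_t err = _sopen_s(&fd, path, _O_RDONLY | _O_BINARY | _O_NOINHERIT,
                           _SH_DENYWR, 0);
    if (err != 0) { errno = err; return -1; }
    return fd;
#else
    int flags = O_RDONLY;
#ifdef O_CLOEXEC
    flags |= O_CLOEXEC;   /* same intent as _O_NOINHERIT on the MSVC side */
#endif
    return open(path, flags);
#endif
}

/* Read at most cap-1 bytes from `path` into `buf`, NUL-terminate it, and
   return the byte count, or -1 if the file could not be opened or read. */
long read_file_text(const char *path, char *buf, size_t cap)
{
    int fd = portable_open_readonly(path);
    size_t total = 0;
    if (fd < 0 || cap == 0) return -1;
    while (total < cap - 1) {
        int n = (int)PORTABLE_READ(fd, buf + total, (unsigned)(cap - 1 - total));
        if (n < 0) { PORTABLE_CLOSE(fd); return -1; }
        if (n == 0) break;                 /* end of file */
        total += (size_t)n;
    }
    buf[total] = '\0';
    PORTABLE_CLOSE(fd);
    return (long)total;
}

/* Constructed round trip: write a known string to a scratch file, read it
   back through the wrapper, delete the file, and check that a missing path
   is refused with -1 rather than crashing. Returns 1 on success, 0 otherwise. */
int demo_roundtrip(void)
{
    const char *path = "portable_open_demo.txt";   /* constructed scratch file */
    const char *text = "open, _open, _sopen_s: one wrapper for all three\n";
    char buf[256];
    long n;
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    fputs(text, f);
    fclose(f);
    n = read_file_text(path, buf, sizeof buf);
    remove(path);
    if (n != (long)strlen(text) || strcmp(buf, text) != 0) return 0;
    if (read_file_text("portable_open_demo_missing.txt", buf, sizeof buf) != -1) return 0;
    return 1;
}

int main(void)
{
    int ok = demo_roundtrip();
    printf("portable open round trip: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The alternative, if you would rather not touch the code at all, is to define _CRT_NONSTDC_NO_DEPRECATE and _CRT_SECURE_NO_WARNINGS before the first include (or in the project settings), which switches those C4996 warnings off and leaves open() as it was.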